You’ve been searching for ways to remain in compliance with the GDPR and the CCPA.
Understanding the difference between CCPA and GDPR can be complex. There is so much information to sift through and it’s overwhelming.
How do you know if your business is compliant with one, both, or neither?
For businesses operating in California, it’s important to understand both and what they mean for your business. A simple “notice and choice” option for consumers is not enough to give consumers rights over their information.
There are ways to check whether your company needs to comply with GDPR, CCPA, or both, and what this looks like.
In this guide, we are going to explain how to tell which regulation applies to your business, how to learn if your business is compliant, and how we can help you achieve it.
Table of Contents
- What are GDPR and CCPA?
- Key Differences Between GDPR and CCPA
- What CCPA and GDPR Compliance Guidelines Mean For Your Business
- How CompilerWorks Can Help
- Enabling GDPR and CCPA Compliance With CompilerWorks
What are GDPR and CCPA?
The GDPR and CCPA are essential data privacy laws that affect businesses around the world. They both protect consumers’ privacy.
This is great news for consumers.
The bad news is, compliance with the General Data Protection Regulation (GDPR) does not guarantee compliance with the California Consumer Privacy Act (CCPA).
We’re going to briefly explain each and how this may affect you.
On May 25th, 2018, the European Union passed one of the toughest privacy and security laws in the world: The General Data Protection Regulation (GDPR). This law applies to anyone that targets or collects data related to people in the EU.
Let’s say that your enterprise tracks EU visitors to your website. You see that their IP address falls in EU territory.
You might want to know:
- Their browsing activity
- The kind of computer they’re using
- Other accounts they’ve logged into
- Information from tracking cookies, etc.
Any company that collects data like this is now within the legal scope of the GDPR, and many major U.S.-based companies are affected by it.
Here’s how it’s supposed to work.
Rights transparency is central to the GDPR.
The GDPR requires companies to inform consumers about types of data being collected about them, and why. Consumers had to agree to many updated terms of service by that deadline, May 25th.
If they didn’t, they could no longer use that site.
If a business doesn’t comply, the penalties can be steep: up to 4% of your company’s global annual revenue or 20 million euros, whichever is higher.
There are some exceptions to the rule.
If you’re collecting email addresses and contact information to organize a birthday party, the GDPR will not apply to you. It applies solely to professional or commercial activity.
There are some limits to these exceptions.
In 2016, former California Attorney General, Kamala Harris, released a report detailing a data breach that affected about 49 million California residents.
This shone a spotlight on the need for greater security on the web. And with an economy bigger than the UK’s, California needed its own solution.
The 2020s have become the decade where the U.S. really gets serious about data security. The California Consumer Privacy Act (CCPA) came into effect on January 1st, 2020. Enforcement began July 1st, 2020.
The CCPA gives consumers more control over the personal information that businesses collect about them.
In preparation, you might have begun to get your house in order long ago. So who does it apply to?
It applies to any company that operates within California and either:
- Makes at least $25 million in revenue, or
- Has the sale of personal information as its primary business
Here’s a simple list of CCPA consumer rights. Consumers have the right to:
- Know how their personal data is processed
- Opt out of the sale of their personal information
- Have their personal information deleted
- Not be discriminated against for exercising these consumer rights
- A private right of action for certain data breaches
- For minors: opt in to the sale of their personal information (rather than opt out)
What happens if you violate the CCPA?
California Attorney General Xavier Becerra told Reuters in 2019: “If they are not (operating properly) … I will descend on them and make an example of them, to show that if you don’t do it the right way, this is what is going to happen to you.”
The hammer will come down.
Key Differences Between GDPR and CCPA
The GDPR and CCPA often use different definitions, scopes, and exceptions to their regulations. For example, the CCPA defines “personal data” more broadly and includes data about devices. The GDPR focuses on specific individuals and is less process-oriented than the CCPA.
The CCPA requires a different scope of privacy disclosures than the GDPR.
According to the GDPR, “personal data” is defined broadly to mean “any information relating to an identified or identifiable person”. This includes things like:
- IP addresses
- Device IDs etc.
Under the CCPA, “personal data” is expanded to data associated with a household.
Adhering to the GDPR may not allow your company to be compliant with CCPA. Keep reading to look at some primary CCPA and GDPR differences.
Data Collection Practices
The CCPA and the GDPR are constantly changing and adapting to new technologies. As a result, the specific measures businesses need to take are unfortunately vague.
As you collect personal data, the GDPR requires consumer rights disclosure that covers such things as:
- Purpose limitation
- Collecting only the minimum amount of data necessary
- Collecting accurate data
- Encrypting or pseudonymizing data where possible
The CCPA has more specific consumer rights regarding the collection and sale of their data:
- Consumers must be informed of what categories of information are being collected. This can include IP addresses, internet activity, geolocation data, education information, and more.
- Consumers must be notified about why this information is being collected. How will this information be used?
- The right to request the deletion of this information must be disclosed, as well as the limitations to these rights.
- Are there any additional categories of data that are being collected? Any additional purposes this data can be used for? The consumer must also be notified of this.
Additional disclosures need to be made if the information is being sold or disclosed for business purposes.
Enforcement and Nondiscrimination Practices
In order to compare GDPR and CCPA, it’s important to look at how infractions are assessed.
The GDPR looks at global revenue. Fines reach up to 2% or 4% of it, depending on the nature of the infraction. This can mean huge numbers, especially for some well-known companies in Silicon Valley.
The CCPA looks at how many consumers are affected. For civil penalties, the California Attorney General may require $2,500 per violation. Intent matters. This can be up to $7,500 if the violation is intentional.
You can take a deep breath: there is a 30-day cure period for violations once notice is given.
The CCPA and GDPR both provide consumers with a “right to non-discrimination”. Under both, a business must not use collected information to discriminate against a consumer.
What CCPA and GDPR Compliance Guidelines Mean For Your Business
In order to protect your business, it’s beneficial to compare CCPA vs GDPR compliance and find out what consumer rights apply.
What does this mean for businesses in California?
Non-compliance comes with some steep costs. Happily, there are no specific encryption strengths or technologies you need to be compliant with.
For data collection compliance, the GDPR has 6 criteria that must be met:
- The data must be collected lawfully, fairly, and in a transparent manner.
- It must be collected for a legitimate reason and with limited purposes.
- It must be adequate, limited to what is necessary and relevant.
- Data must be accurate and kept up to date where necessary.
- The data must be kept in an identifiable form no longer than necessary.
- Data must be processed securely.
There are checklists upon checklists to remain compliant with every section of the GDPR. Combing through acquired data from consumers, manually looking for the purpose of each line of code, is a tedious process.
Here are some key suggestions in order to align with CCPA regulations:
- You’ll need to know where your data is. You can use your cloud environment or data warehouse to manage this.
- Encrypt or redact your data.
- If you’re selling personal information, be sure to track, and respond to, opt-in and opt-out requests.
- Offer two ways for a consumer to opt-out of the sale of their data.
Another key way to remain in compliance is to have a robust data inventory. You need to know why you have that data and who should have access to it. This requires data mapping, the process of creating data element mappings between two distinct data models.
Data mapping can help you with processes like:
- Data migration— the process of moving data from one application to another.
- Data integration— the process of combining data from different sources into a single, unified view.
- Data transformation— the process of converting data from one data structure to another.
- Data warehousing— the process of constructing and utilizing a data warehouse.
How CompilerWorks Can Help
An ideal compliance solution must empower a data protection officer to:
- Have the ability to identify PII wherever it is in the organization’s data infrastructure
- Highlight wherever PII is used for analysis
- Have the ability to enable the destruction of PII for any selected individual across the entire organization
These requirements should not be restricted to individual departments or certain data processing repositories, but impact cross-functional areas in the entire organization.
To solve challenges imposed by compliance, a DPO must be enabled to:
- Track processing and data movement across organizational and technological boundaries
- Audit data processing and access
- Complete comprehensive analyses of data flow
CompilerWorks addresses these compliance challenges with its lineage fabric and the CompilerWorks lineage solution built around it.
Enabling GDPR and CCPA Compliance With CompilerWorks
The lineage fabric developed by CompilerWorks is generated with a standard process regardless of the application area.
PII can be identified anywhere in an organization’s data storage and processing center to deliver compliance. This allows the DPO to directly identify PII and allows others across the organization to tag PII.
The lineage model automatically tracks where that PII is preserved across the data infrastructure, so the DPO can track PII enterprise-wide, consistently with the enterprise’s own policies.
By integrating the identification of PII with the lineage model, automated analyses can be enabled, such as:
- Tracking PII data movement at the column and row level, including:
  - Data copying
  - PII “leakage”
- Audit of data access, which allows for specific, time-stamped identification of which users/systems view each piece of PII.
- Destruction of PII from the data source throughout the entire data infrastructure.
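The data-inventory and data-mapping idea from the earlier section and the lineage-driven analyses listed just above (tag propagation, leakage detection, time-stamped access audit, enterprise-wide deletion targets) can be illustrated with a small column-level lineage graph. The following is an added example written for this page; it is not CompilerWorks code and says nothing about how their lineage fabric is implemented. All dataset names, column names, the `preserves_pii` edge flag and the access-log records are constructed for the illustration.

```python
"""Toy column-level lineage model with PII tag propagation (added example)."""
from collections import defaultdict, deque
from dataclasses import dataclass, field


# A column is addressed as "dataset.column". Each edge points from a source
# column to the column a transformation writes, and records whether that
# transformation keeps the data identifiable (copy, cast, hash) or not
# (e.g. a count aggregate). Hashed/pseudonymized data is still personal data
# under the GDPR, so only genuinely anonymizing steps get preserves_pii=False.
@dataclass
class LineageGraph:
    edges: dict = field(default_factory=lambda: defaultdict(list))  # src -> [(dst, preserves_pii)]
    pii_tags: dict = field(default_factory=dict)                    # column -> tag, e.g. "email"
    pii_allowed: set = field(default_factory=set)                   # datasets approved to hold PII

    def add_edge(self, src, dst, preserves_pii=True):
        self.edges[src].append((dst, preserves_pii))

    def tag_pii(self, column, tag):
        """Manual tagging step: the DPO (or a data owner) marks a source column."""
        self.pii_tags[column] = tag

    def propagate(self):
        """Return {column: set(tags)} for every column PII flows into (BFS)."""
        reach = defaultdict(set)
        queue = deque()
        for col, tag in self.pii_tags.items():
            reach[col].add(tag)
            queue.append(col)
        while queue:
            col = queue.popleft()
            for dst, preserves in self.edges.get(col, []):
                if not preserves:
                    continue  # anonymizing step: identifiability does not survive
                before = len(reach[dst])
                reach[dst] |= reach[col]
                if len(reach[dst]) != before:
                    queue.append(dst)  # new tags arrived, keep walking downstream
        return dict(reach)

    def leakage(self):
        """PII-bearing columns that live in datasets not approved to hold PII."""
        return sorted(
            (col, sorted(tags))
            for col, tags in self.propagate().items()
            if col.split(".", 1)[0] not in self.pii_allowed
        )

    def deletion_targets(self, tag):
        """Every column that must be purged to erase one subject's `tag` PII."""
        return sorted(col for col, tags in self.propagate().items() if tag in tags)


def pii_access_report(graph, access_log):
    """Time-stamped list of who viewed which PII column.

    access_log records are constructed tuples: (iso_timestamp, user_or_system, 'dataset.column').
    Reads of columns PII never reached (e.g. aggregates) are dropped from the report.
    """
    reach = graph.propagate()
    return [
        (ts, who, col, sorted(reach[col]))
        for ts, who, col in sorted(access_log)
        if col in reach
    ]


def build_example_graph():
    """Constructed data map: CRM -> warehouse -> analytics / marketing export."""
    g = LineageGraph(pii_allowed={"crm", "warehouse"})
    g.tag_pii("crm.email", "email")
    g.tag_pii("crm.ip_addr", "ip_address")
    g.add_edge("crm.email", "warehouse.email")                                 # plain copy
    g.add_edge("crm.ip_addr", "warehouse.ip")                                  # plain copy
    g.add_edge("warehouse.ip", "analytics.visit_count", preserves_pii=False)   # count aggregate
    g.add_edge("warehouse.email", "marketing.email")                           # copy into unapproved dataset
    return g


# Constructed access log: (timestamp, user/system, column)
EXAMPLE_ACCESS_LOG = [
    ("2024-03-01T09:00:00", "analyst_a", "marketing.email"),
    ("2024-03-01T09:05:00", "bi_dashboard", "analytics.visit_count"),
    ("2024-03-01T10:00:00", "dpo_tool", "crm.email"),
]


if __name__ == "__main__":
    g = build_example_graph()
    print("leakage:", g.leakage())                       # marketing.email carries email PII
    print("delete for 'email':", g.deletion_targets("email"))
    for row in pii_access_report(g, EXAMPLE_ACCESS_LOG):
        print("access:", row)
```

The `preserves_pii` flag on each edge is the design decision that carries the analysis: it is what lets an aggregate break the chain while a copy or hash keeps the tag flowing, so leakage findings and deletion targets are computed from the graph rather than from a hand-maintained spreadsheet.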
This allows the DPO not only to demonstrate compliance to management and the authorities but also to control data access and usage across the entire organization and its processing infrastructure.
With the CompilerWorks lineage model, compliance is simplified.